Bright Stove

Reflecting information risk journey

A difference in trust

leave a comment »

Sep 20, 2007 – Yin Chuan (银川) – At the 2nd China Computerworld FSI Security conference today, during the keynote address, Dr Ren JinQian, Chief Engineer of a government body, spoke about the principles and approach of using a risk based approach for information security. Dr Ren highlighted the importance of using risk assessment as a basis for ensuring information security. Three approaches of risk assessment were named: (1) inspection by auditors; (2) self assessment; and (3) third party assessment. Of these approaches, Ren emphasized that self assessment is most important, and should be the focus for all government departments and financial institutions in China. As for third party assessment, it was deemed not as important at this stage. Ren rationalized that third party assessors are not part of the organization, and therefore will not understand the requirements and issues involved, and hence, will have limited contribution. His experience also revealed that some third party assessors had instead of helping in resolving their security problems, used their knowledge to attack their customers’ web site after the engagement. The integrity and reliability of third party assessors are therefore questioned. Finally, Ren expressed concerns of information leakage relating to third parties’ access to organizations’ internal IT environment. Nevertheless, when third party assessors are required, Ren expressed that only authorized third parties should be used. This is critical to ensure confidentiality of information involved, and also integrity of the assessors. Ironically, the topic is about risk management, and in the approach taken, it seems that the risk of using third party assessors is not quite an option yet for management. This reveals a major difference between his approach to risk assessment, and most multi-nationals’, including other governments, in which third-party assessors are often preferred in view of the independency and objectivity of assessment desired. It also illustrates the social trust model at work between the Chinese and Western approaches.


Written by mengchow

November 9, 2007 at 6:49 am

Posted in Risk Management

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: